FYI OpenVPN was assigned an official port number by IANA recently. It now officially uses port 1194 for both TCP and UDP communications. All versions of OpenVPN starting with 2.0 beta 17 will now default to port 1194 instead of 5000. You can, of course, continue to use port 5000, or any port you want, by using the --port option.
_________________
Do you know what a usufruct is?

I have no idea who my CA authority is...
Can someone explain this to me? Does someone know a good page
that explains this whole encryption thing in detail? I really don't understand this.

Here is the educational info: http://en.wikipedia.org/wiki/Certificate_authority
You can be your own CA if you choose to do so. There is a section in this topic (page 1) that provides you with information on how to sign your own certificate. If you are in a corporate setting, check with your system administrator and he can tell you if you have a CA server on your corporate LAN. Hope this helps.

One thing to keep in mind is that Verisign and Thawte and the like are also CAs, but you don't want to use them for your certificate. The reason why is that by default, OpenVPN will let any two peers connect to each other if both their certificates are signed by the same CA. So, if you used a certificate from Verisign or Thawte, then anyone else whose certificate was signed by Verisign or Thawte would be allowed to connect too. OpenVPN has several methods to prevent this from happening, including HMAC authentication, scripting to check the "common name" and fingerprints of certificates, and even support for accepting a username and password (in 2.0 beta 12 and later) along with (or in lieu of) a certificate.

Bottom line, once you figure out what a CA is, you're going to want to use your own internal CA and not an outside one.
_________________
Do you know what a usufruct is?
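As an added example (not from this thread or from the OpenVPN project), here is the kind of "common name" check the post above refers to: a --tls-verify hook that rejects any peer whose certificate CN is not on an explicit allowlist, even when the certificate was signed by the trusted CA. The script path and the allowlist path are assumptions; OpenVPN calls the hook with the certificate depth and the X.509 subject, and the script handles both the older "/C=US/CN=alice" and the newer "C=US, CN=alice" subject formats.

```shell
#!/bin/sh
# verify-cn.sh: OpenVPN --tls-verify hook (example, not from the thread).
# OpenVPN runs "verify-cn.sh DEPTH SUBJECT" once per certificate in the
# peer's chain; depth 0 is the peer's own certificate. Exit 0 accepts the
# certificate, anything else makes OpenVPN drop the connection.
# Server config (paths are assumptions):
#   tls-verify /etc/openvpn/verify-cn.sh
#   script-security 2

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cns}"   # one Common Name per line

# Pull the CN out of a subject string in either the old "/C=US/CN=alice"
# form or the newer "C=US, CN=alice" form.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^/,]*\).*|\1|p'
}

# Exact, whole-line match so "alice" does not also admit "alice2".
cn_allowed() {
    [ -n "$1" ] && grep -Fxq -- "$1" "$2"
}

# verify DEPTH SUBJECT [ALLOWLIST] -> 0 accept, 1 reject.
verify() {
    depth="$1" subject="$2" list="${3:-$ALLOWLIST}"
    # Depth > 0 is the CA chain; OpenVPN already validates it against --ca.
    [ "$depth" -eq 0 ] || return 0
    cn=$(extract_cn "$subject")
    if cn_allowed "$cn" "$list"; then
        return 0
    fi
    logger -t openvpn-tls-verify "rejected CN='$cn' subject='$subject'" 2>/dev/null || :
    return 1
}

# Entry point when OpenVPN executes this file with its two arguments.
if [ $# -eq 2 ]; then
    verify "$1" "$2"
    exit $?
fi
```

A rejected peer shows up in syslog under the openvpn-tls-verify tag, which is the line to alert on when a validly signed but unknown certificate is presented.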

It seems I'm really close to having openvpn working by following this excellent HOW-TO. I can start openvpn on the server and client and the logs indicate they are connecting properly. However, I cannot ping anything. I believe it's a routing issue that I don't understand enough to sort out. Is there a route command I need to run on the server and/or client which I've missed? The one suggested in the HOW-TO troubleshooting section hasn't made a difference.

I don't mess around enough with windows to offer you specific answers, but I will say this: don't try to add a bunch of features all at once. Start with the bare basics (no push/pull, no routing instructions, no hmac, no nothing); just get a tunnel up and running between the two machines. Manually assign the ip addresses and routing. Once you get that working, add the other features in one at a time and verify that the connection still works each time. That makes it immensely easier to figure out what in the hundreds of options available is causing the problem. Begin by adding the routing and push/pull commands before adding extra security and encryption.
_________________
Do you know what a usufruct is?

I had to reboot the server (kernel upgrade) and now I cannot connect via OpenVPN. I went through my notes thinking I missed something in the config that was lost on reboot, but all is as expected. Both the client and server certs check out with a status of "OK". I've made sure the tap0 interface is enabled on the firewall:

The server log never shows any additional entries while the client is attempting to connect.
_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.

Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting; the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.

One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces, right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default. (It is the new IANA-assigned port.)
_________________
Do you know what a usufruct is?

Good advice, so I followed it.

First I upgraded to 2.0-beta19 and reconfigured the firewall for port 1194. With a stripped down config on both client and server, I built up what was needed based on log error messages and warnings. Leaving out all the mtu adjustments in the config files seemed to be the hitch.

I've now been able to restore full connectivity.

Thanks again for the good pointers...
_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.

First of all, thanks for the howto. It really saved me a lot of work to figure this thing out myself. I have OpenVPN running fine now. However, there is still one problem. I hope you can help.
This is my situation:

I have a Gentoo-server at my company. This is the OpenVPN-server.
This Server has 2 network-cards. One is connected to an ADSL-modem and has
10.0.0.150 as IP-address. The other card has 192.168.1.1 as IP-address and connects
the OpenVPN-server to the local network of my company (192.168.1.xxx) so:

I have my own Gentoo-server at home, this is the OpenVPN-client. It also has 2
network-cards. One is for internet/ADSL and has 10.0.0.150 as IP-address.
The other one connects the server to my own LAN (192.168.0.xxx) and has
192.168.0.1 as IP-address. so:

The problem
I need to access my company's LAN (192.168.1.xxx) from my server.
When I do:

Code:

ssh 10.1.0.1

it works fine. But when I do:

Code:

ssh 192.168.1.1

I get no response.
What's the real goal here? I need to access one of the windows servers in my
company's LAN from an OpenVPN client. When I have this working, some people
here can access the company's LAN from their homes.
So if anyone can tell me what to do?
The tap-devices are in the FORWARD chain and set to accept.

First, make sure the gentoo server at your company has firewall rules and routing set up to allow packets on the vpn interface. (I'm assuming it does since you said other people can get to it just fine.)

Second, you need to set up a route telling your home computer where to find the 192.168.x.x network. Your computer doesn't know that 192.168.x.x is on the other side of the vpn tunnel. Try this:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1

If that works, then you need to find a way to set that route every time OpenVPN starts. You can do this by a networking init script, or in the OpenVPN config file itself. Check the OpenVPN manpage for details.
_________________
Do you know what a usufruct is?

Check your netmask on the work machine. 10.x.x.x defaults to 255.0.0.0, and 192.168.x.x defaults to 255.255.255.0. Last time I had issues with routing it was because I had several 10.x.x.x networks with different netmasks. If 10.1.0.x has a 255.255.255.0 on one end, and 255.0.0.0 on the other, it might not work.

Short of that, I'm not sure.
_________________
Do you know what a usufruct is?

Thank you very much for this how-to. So far it has been amazing. However, I am stuck on a certain point that I am unable to figure out. My situation is this: I am trying to set up a VPN for a PITA client that needs terminal services access to a Win2k server machine. I need the Win2k machine protected by a firewall. After a lot of head pounding, I found this how-to and am so close I can taste it. Here is how this thing is set up:

Client --> Internet --> Linux (OpenVPN / IPTables / NAT) -> Win2k
The linux box has a public IP address on eth0 and a 10.10.10.1 / 255.255.255.0 on eth1. The win2k machine is at 10.10.10.13 and is the only machine on the subnet. The only purpose of the linux box is A. to protect that win2k machine and B. act as a VPN server.

I have the client connecting and I am seeing no errors in either the client or the server log. However, I am unable to ping the vpn gateway by its private ip, nor can I ping the client machine from the vpn gateway, and I cannot ping the win2k machine (inside the lan) from the client machine. I am not sure what is wrong. I have checked and port forwarding is on:

Well I got in to work this morning and figured it out. I was trying to use the same subnet for both the physical and the virtual. B/c of this, my tap0 and eth1 both had the same IP. I moved the virtual network over to a different subnet, and now all seems to be working swimmingly.

Q: VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?

A: There are two options.
1) In your default gateway, you need to add the route to your protected lan with VPN server as the gateway. Using the sample environment above, you will need to add the following route.
Code:
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for the router.
2) Use ethernet bridge.
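Two of the routing points in this thread, the netmask-mismatch post above (a 255.0.0.0 on one end and 255.255.255.0 on the other) and the FAQ route with its /28 covering clients 0 - 10, can be checked with a few lines of shell before touching a live router. This is an added example, not from the thread or the HOWTO, and it assumes a shell with 64-bit arithmetic (dash and bash on Linux qualify).

```shell
#!/bin/sh
# Route and netmask sanity checks (added example, not from the thread).
# Assumes a shell with 64-bit arithmetic (dash and bash on Linux qualify).

# Dotted-quad IPv4 address -> integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Number of addresses a netmask spans (255.255.255.240 -> 16, the FAQ's "16 entries").
mask_size() {
    echo $(( 4294967296 - $(ip2int "$1") ))
}

# in_subnet IP NETWORK NETMASK -> 0 when IP lies inside NETWORK/NETMASK.
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# route_covers NETWORK NETMASK FIRST LAST -> 0 when every client address in
# FIRST..LAST is matched by the route; otherwise prints the first one that is not.
route_covers() {
    i=$(ip2int "$3"); last=$(ip2int "$4")
    while [ "$i" -le "$last" ]; do
        if ! in_subnet "$(int2ip "$i")" "$1" "$2"; then
            int2ip "$i"
            return 1
        fi
        i=$(( i + 1 ))
    done
    return 0
}

# agree_on_subnet IP1 MASK1 IP2 MASK2 -> 0 only when each side, using its own
# netmask, sees the other as on-link. A /8 on one end and a /24 on the other
# fails this, which is the mismatch described in the post above.
agree_on_subnet() {
    in_subnet "$3" "$1" "$2" && in_subnet "$1" "$3" "$4"
}
```

Run route_covers against the full client pool you hand out; if it prints an address, that client will connect but its packets will never match the route and the "can't reach the LAN" symptom from this thread follows.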

So it's a fairly typical basic setup to start out with. Right now the only issue I have is I can't seem to get routing correctly to route 10.0.0.0 traffic to my local network; 10.0.0.98 (vpn server) works fine, but 10.0.0.1 (dns server) fails.